A new version of the Tanatos (aka
Bugbear) Internet worm has been detected

I just
checked my email today and so far, I have received 10 copies
of the highly dangerous and new release of the BugBear computer worm,
also being referred to as the Tanatos worm.

" Kaspersky Labs, an international data
security software developer, reports the detection of a new version
of the "Tanatos" Internet worm -

Tanatos.b (aka Bugbear.b). The new
version of this malicious program has an array of dangerous
functions. Tanatos.b can infect the executable files of many
programs as well as cause the leakage of confidential information.
Presently, numerous incidences of infection at the hands ofTanatos.b
have been registered. The Tanatos.b Internet worm spreads via e-mail
as a file attachment. Thee-mail message itself can have various
subjects, message texts, and file attachment names. Infection occurs
when the file attachment harboring the malicious code is activated,
once this happens the spreading routineis begun. There are several
ways to launch the hazardous file via the FRAME breech in the
Internet Explorer security system (which starts the worm upon
message opening), manually when a user opens the infected file
attachment or through local area networks.

When installing, Tanatos.b copies
itself under random file names into the Windows registry auto-run
keys, creates files in the Windows system directory as well as
copies itself into the Windows directory and tem files directory.

Next the worm starts its spreading
routine using the built-in SMTP engine. To send itself out via
e-mail, Tanatos.b looks for e-mail addresses by scanning the
available drives for files with the following extensions
*.ODS, *.INBOX, *.MMF, *.NCH, *.MBX, *.EML, *.TBB, *.DBX.

Tanatos.b has several dangerous
functions. It infects the executable files in the Windows operation
system. In the list of objects infected by Tanatos.b there are
executable files from many other popular programs including Outlook
Express, Internet Explorer, WinZip, the KaZaA file sharing system,
ICQ and MSN Messenger.

Additionally, the new version of
Tanatos has the ability to function as a backdoor program, allowing
the virus's creator to control infected machines and gain access to
confidential information. To accomplish this, the worm opens port
1080, through which it can do the following

* Transfer hard drive data
* Copy, open and delete files
* Inform about active applications and to close them
* Load files from remote computers and send keyboard log reports to
the virus author
* Setup an http server
The first version of the Tanatos Internet worm was detected in
September 2002. At that time Tanatos caused a huge number of
infections the world over. The worm combined the functionality of an
Internet worm with that of a Trojan program, making it an
exceptionally dangerous program capable of leaking out confidential
information.

Kaspersky Lab Corporate Communications

According to reports
published in recent days in the computer media, BugBear has
surpassed the infamous Klez in becoming the fastest spreading
computer worm or virus in history.

Kaspersky Labs and Panda, two major
providers of free online virus scans, each now report that nearly
20% of computers infected with malicious code now have the BugBear
worm. The Helsinki based antivirus and computer security firm
F-Secure rates the BugBear worm as the worst current computer
security outbreak. Symantec, publisher of the popular Norton
AntiVirus rates the threat as “severe”. McAfee considers the
risk as “high”.

This new worm, or piece of code, is written in the common and
popular C++ language, and combines the worst of the Badtrans virus,
the Klez worm, and a backdoor Trojan into one extremely dangerous
program. Capable of destroying both antivirus software and firewall
protection on an infected computer, this nefarious program can also
spread rapidly through a network to all computers connected, and
through email utilizing its own integral mail program.

Just like the Klez, which until the recent introduction of the
BugBear, had been the most rapidly spread virus or worm, BugBear
targets the highly publicized security holes in Microsoft’s web
browser Internet Explorer versions 5, 5.5, and 6, as well as
Microsoft’s popular email programs Outlook and Outlook Express.
Despite the fact that Microsoft released a heavily promoted patch to
close these holes about a year ago, and is included in “Windows
Update” integral in all versions of Windows since Windows 95
(click on START - WINDOWS UPDATE while online, and download the
customized and free “Critical Update” compiled by Microsoft),
millions of Windows users have never installed the patch. Now, in
exchange for their complacency, these users are at extreme risk of
having their personal information stolen by hackers. There is a real
chance of having their identity stolen (referred to in law
enforcement as “Identity Theft”), private or confidential
information accessed, credit card and banking information
compromised, and any files on the hard drive available to a hacker
to read, modify, or delete at will.

The BugBear, just like the Klez, Yaha, and similar variants, can
be activated by simply opening an email containing the malevolent
code, or allowing the infected email to appear in the preview pane
of any of the unpatched versions of Outlook or Outlook Express. With
email programs other than the Outlook series, opening the attachment
containing the worm will infect the users’ computer. Once
infected, antivirus and firewall utilities will be crippled, with no
indication of that fact being noticeable by the user. BugBear will
then attempt to replicate itself both by repeatedly emailing itself
to addresses in the user’s address book (the idea of beginning an
email address with “!0000” to prevent this is a HOAX), using a
variety of subjects, email content, and attachments, as well as
sending itself out over a network to all computers so connected.
Using the popular human engineering technique of sending the
infected emails to addresses in the victim’s address book, the
malignant messages will appear to be from a person known to the
recipient. Multiple references to the worm are written to the
registry and “.INI” files, ensuring that BugBear is loaded each
time the computer is booted. There are no clearly visible
indications to the user that a computer is infected. Once installed
on the victim computer, a utility to capture the user’s keystrokes
is activated, enabling a hacker to see user names, passwords, credit
card numbers, and any other information or data entered. A “backdoor
Trojan” is activated allowing access to the infected machine, the
downloading of the keystrokes by the hacker, and unrestricted access
to all files and documents on the computer. Since BugBear itself is
transparent, and not apparently destructive, the user will likely
never know his computer is infected, and outsiders can access his
computer remotely. Antivirus software will still appear to be loaded
and updated, and firewalls will appear to function, but in reality
they will be useless. Frequently updated antivirus software offers excellent
protection, but only if updated with the BugBear information prior
to the infection. Practicing “safe hex” and deleting suspicious
emails and attachments before they can appear in a preview pane can
greatly reduce the chance of infection.

Since BugBear is written in the common C++ language, it is likely
that some wicked programmers may modify the code, and create
variants to get around the protections offered by recently updated
antivirus software, just as what happened with many variants of the
Klez worm.II